topic Re: sum multiple fields based on the field only in Splunk Search

sum multiple fields based on the field only

moayadalghamdi — Sun, 20 Jun 2021 07:55:08 GMT

Hello Splunkers

in my firewall logs, i have three numerical fields, (out_packet, in_packet, bytes)

i want to sum these values each field individually but a i want the answer in one record

for example:

index=firewall
| timechart sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

unfortunately it didn't work, please help me with it

Thanks ^_^

Re: sum multiple fields based on the field only

ITWhisperer — Sun, 20 Jun 2021 08:00:46 GMT

index=firewall | stats sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

Re: sum multiple fields based on the field only

moayadalghamdi — Sun, 20 Jun 2021 08:05:45 GMT

Thanks for the prompt response ^_^

but i need it in time chart for visualization, help me with it plz

Thanks ^_ ^

Re: sum multiple fields based on the field only

ITWhisperer — Sun, 20 Jun 2021 08:24:41 GMT

Stats will give you one record as you said. Timechart will give you lots of records (assuming the time span is wide enough). How are the results you originally had not what you wanted?

Re: sum multiple fields based on the field only

moayadalghamdi — Sun, 20 Jun 2021 08:41:56 GMT

Sorry, i just noticed that my post was confusing

what i want is to show the the trends of these three fields in a "line chart" visualization

i want the trend by any value of my choosing

for example i want like this, but with multiple fields based on the search

Re: sum multiple fields based on the field only

ITWhisperer — Sun, 20 Jun 2021 08:53:16 GMT

It is still not clear why timechart is not working for you

Re: sum multiple fields based on the field only

moayadalghamdi — Sun, 20 Jun 2021 08:55:44 GMT

wait, the problem if from my side, my log sources have missing data.

sorry for that, BTW you helped my a lot in many posts, thanks whisperer ^_^